10 things you can do to secure your web server from attacks

Server security is something that should never be overlooked. One day or another, chances are your server will be under attack and the integrity of your data will be at risk, not mentioning you may lose potential and existing customers in the process.

Here are 10 things you can do to secure your web server from attacks:

1. Updating cPanel

The first thing you want to do is to make sure you have the latest version of cPanel running. You can update cPanel by going to “WHM > cPanel > Upgrade to Latest Version”. You can also achieve the same thing using this command line:

# /scripts/upcp --force

In order to have your server updated automatically, I recommend you enable daily updates by going to “WHM > Server Configuration > Update Preferences”:

2. Securing cPanel and WHM Access

When using an unsecured connection to cPanel and WHM, your username and password are sent as clear text over the Internet. It is advised to use SSL to secure all accesses to both control panels. From WHM, click on “Server Configuration > Tweak Settings” and configure the redirection parameters as follow:

3. Securing SSH

SSH is among the services mostly vulnerable to Brute Force Attacks. The default SSH configuration allows root access on the default port (22). Here’s how to secure the SSH daemon:

Establish an SSH connexion to your server and connect as root.

Edit the SSH daemon configuration file:

# nano /etc/ssh/sshd_config

Set a different port for incoming SSH connections by changing this line:

Port 22

to:

Port 22200

You don’t have to use port 22200 as mentioned above. Refer to this list of common TCP/UDP ports to find a port number that isn’t already in use.

Disable SSH root login by changing this line:

#PermitRootLogin yes

to:

PermitRootLogin no

Save the file and restart the SSH daemon:

# service sshd restart

In order to gain root access through SSH, you will now need to log on as a regular user and then become root by issuing the command:

# su - root

Note that you will first need to add the desired users to the wheel group (WHM > Security Center > Manage Wheel Group Users).

4. Securing Apache and PHP

cPanel allows to easily build and compile Apache and PHP using EasyApache. The first step in securing Apache and PHP is to update both components to the latest version:

Log in to WHM and go to “Softwares > EasyApache (Apache Update)”.

On the first page, select “Previously Save Config” so that you can reuse your server’s current settings.

Click on “Start customizing based on profile”.

When prompted to select which Apache version to build, select the latest stable version. At the moment of this writing, the latest version is 2.4.6.

On the PHP Version page, select the latest stable release (PHP 5.4.20 at this moment).

On the next page, click on “Exhaustive Options List”.

Check the following options: Mod SuPHP, Mod Security and “Save my profile with the appropriate PHP 5 options…”. Leave all other the options set as they were.

Click on “Save and build”.

At this point, rebuilding Apache and PHP may take up to 30 minutes depending on the speed of your server.

Next you must configure suPHP as the PHP handler. By enabling suPHP, the files created by PHP scripts will be owned by the website’s user account instead of the account running the Apache process. To enable suPHP go to “WHM > Service Configuration > Configure PHP and suEXEC”, select “suphp” and click on “Save New Configuration”:

In order to prevent malicious PHP scripts from opening files outside of their home directory, it is recommended to enable open_basedir:

If you’re connecting from a static IP address, you can add it to cPHulk’s white list to avoid locking yourself out of your own server.

8. Installing ClamAV Antivirus

While Linux servers are not prone to viruses as much as Windows-based servers, it is nonetheless a good practice to install an antivirus. Even if your web server is not infected, it could still host a virus intended to infect visitors to your website.

ClamAV is available for cPanel servers as a plugin. Here’s how to enable it:

Go to “WHM > cPanel > Manage Plugins”.

Select “Install and keep updated” next to ClamAV and click on “Save”.

One the ClamAV plugin installation is completed, reload your WHM control panel so that the main menu is updated.

10. Installing a Firewall

This is perhaps the most critical part of hardening a cPanel server. One of the most popular firewall software for cPanel servers is ConfigServer Security and Firewall. CSF not only acts as firewall by scanning various authentication log files, it will also scan your entire system and give you recommendations as to what you can do to increase security.

Once you’ve installed CSF, go to “WHM > Plugins > ConfigServer Security&Firewall” and click on “Check Server Security” to get a list of tips to secure your web server.

Don’t forget to open the new SSH port you’ve defined earlier otherwise CSF will block it. To do this, go to “WHM > Plugins > ConfigServer Security&Firewall > Firewall Configuration”. Find the parameter named “TCP_IN” and add the SSH port to the list.